Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
733
Views
0
Helpful
4
Replies

NAM & ActivClient Issue

Mike.Cifelli
VIP Alumni
VIP Alumni

‎06-20-2019 08:31 AM

I am wondering if anyone has come across the following scenario and if so what was your fix:

In some areas of our environment we run NAM on our Win10 workstations to utilize eap-chaining.  The machines use ActivClient as the middleware.  We have noticed that sometimes when users select their PIV (authentication) certificate to use for authentication in an attempt to map their UPN to their AD account that ActivClient & NAM pass the UPN without the extended string.  For example, what I mean by that is if my Sub. Alt. Name UPN is 123456789*121005* (121005 being the additional string) that NAM passes 123456789 to ISE and users are not hitting the proper authz policy because ISE does not see/attempt to map their UPN to AD.  We have ran through a lot of tests and will continue to.  

Here are the versions of everything:

ISE 2.4p5 (moving to patch 6 soon)

NAM 4.6.01103

Tested the following versions of ActivClient (7.1.0.153) (7.1.0.213) (7.1.0244)

 

Any help is appreciated.

Labels:
0 Helpful
4 Replies 4

stsargen
Cisco Employee
Cisco Employee

‎06-20-2019 11:22 AM

Hi Mike,

 

A few questions for you.

 

1. What do you have set for your protected identity pattern in the NAM configuration.xml? 

2. Are you allowing NAM to provision PAC files based on the successful authentication?  If you disable the use of PAC's does the issue still occur? 

3. Is SSO in use?

4.  Is this a 4 cert PIV card?  Are the users selecting the correct certificate for authentication?

 

Thanks,

Steve S.

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to stsargen

‎06-20-2019 11:35 AM

Answers in order:

[username]@[domain] for Protected Identity pattern; For example in ISE I see 123456789@mil

I need to test the PAC inquiry

SSO is in use

Yes this is a 4 cert piv card. I have confirmed users are selecting the proper certificate.
0 Helpful

stsargen
Cisco Employee
Cisco Employee
In response to stsargen

‎06-20-2019 01:30 PM

Do you have a DART bundle where extended logging has been enabled that you can post?

0 Helpful

Mike.Cifelli
VIP Alumni
VIP Alumni
In response to stsargen

‎07-01-2019 05:58 AM

Issue has been resolved. Long story short we tested several versions of ActivClient and implemented the following GPO change:
Computer Config->Admin Templates->HID Global->ActivClient->Smart Card and ensure that the PIV is used as the primary certificate
0 Helpful
Customers Also Viewed These Support Documents